[ https://issues.apache.org/jira/browse/DOXIA-697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sylwester Lachiewicz updated DOXIA-697:
---------------------------------------
Affects Version/s: (was: 1.12.0)
> Upgrade commons-text to 1.10.0
> ------------------------------
>
> Key: DOXIA-697
> URL: https://issues.apache.org/jira/browse/DOXIA-697
> Project: Maven Doxia
> Issue Type: Dependency upgrade
> Affects Versions: 2.0.0-M5
> Reporter: Sylwester Lachiewicz
> Priority: Major
> Fix For: 2.0.0-M6
>
>
> Fixes the possibility of using
> [CVE-2022-42889|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889]
>
> {{Apache Commons Text performs variable interpolation, allowing properties to
> be dynamically evaluated and expanded. The standard format for interpolation
> is "${prefix:name}", where "prefix" is used to locate an instance of
> org.apache.commons.text.lookup.StringLookup that performs the interpolation.
> Starting with version 1.5 and continuing through 1.9, the set of default
> Lookup instances included interpolators that could result in arbitrary code
> execution or contact with remote servers. These lookups are:
> - "script" - execute expressions using the JVM script execution engine (javax.script)
> - "dns" - resolve dns records
> - "url" - load values from urls, including from remote servers
> Applications using the interpolation defaults in the affected
> versions may be vulnerable to remote code execution or unintentional contact
> with remote servers if untrusted configuration values are used. Users are
> recommended to upgrade to Apache Commons Text 1.10.0, which disables the
> problematic interpolators by default.}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
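The lookup behaviour the quoted CVE text describes, shown as an added example that is not part of the Doxia issue, of Doxia, or of Commons Text itself. It contrasts the default interpolator (every built-in lookup enabled, which on 1.5 through 1.9 includes "script", "dns" and "url") with an interpolator built from an explicit allowlist of prefixes. The "url" lookup is used for the demonstration because it works offline: a file: URL reads a local file straight into the expanded string. The class name, method names, the temporary "secret" file and the trusted-values map are all my own constructions; the example assumes Java 11+ and commons-text on the classpath.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // Constructed untrusted input, standing in for a value read from a
    // user-supplied configuration file. The "url" lookup key is "charset:url",
    // and the JVM will happily open file: URLs, so this pulls a local file into
    // the rendered output. A "${script:javascript:...}" value would run code
    // instead (assuming a javax.script engine is present on the JVM).
    static String untrustedTemplate(Path secret) {
        return "Hello ${url:UTF-8:" + secret.toUri() + "}";
    }

    // Vulnerable configuration: the stock interpolator lookup wires in every
    // default lookup. On commons-text 1.5 through 1.9 that includes
    // script, dns and url; on 1.10.0 those three are no longer defaults.
    static String expandWithDefaults(String template) {
        StringLookup defaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(defaults).replace(template);
    }

    // Hardened configuration: only the prefixes we name are resolvable,
    // addDefaultLookups=false keeps script/dns/url out on every version,
    // and a bare "${name}" is resolved only from a caller-supplied map.
    // An unknown prefix resolves to null, so "${url:...}" is left as literal text.
    static String expandAllowlisted(String template, Map<String, String> trusted) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        StringLookup allowlisted = f.interpolatorStringLookup(
                Map.of("sys", f.systemPropertyStringLookup(),
                       "env", f.environmentVariableStringLookup()),
                f.mapStringLookup(trusted),
                false);
        return new StringSubstitutor(allowlisted).replace(template);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" so the demo does not touch real system files.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "hunter2");
        try {
            String template = untrustedTemplate(secret);
            Map<String, String> trusted = Map.of("user", "alice");

            // 1.5-1.9: prints "Hello hunter2"; 1.10.0: prints the template unchanged
            System.out.println("defaults:    " + expandWithDefaults(template));
            // Any version: the url lookup is not in the allowlist, template stays unchanged
            System.out.println("allowlisted: " + expandAllowlisted(template, trusted));
            // Allowlisted prefixes and trusted names still work as intended
            System.out.println("allowlisted: " + expandAllowlisted(
                    "Hello ${user}, running on Java ${sys:java.version}", trusted));
        } finally {
            Files.delete(secret);
        }
    }
}
```

Two practitioner notes. First, the allowlist is the durable fix: upgrading to 1.10.0 only changes the defaults, and an application (or a system property set elsewhere in the JVM) can re-enable the dangerous lookups, so code that expands untrusted strings should name its lookups explicitly rather than rely on the factory defaults. Second, if a caller enables undefined-variable exceptions on the StringSubstitutor, an unresolvable "${url:...}" becomes an error rather than pass-through text, which is often the better behaviour for configuration loaders.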